OFFICE OF INSPECTOR GENERAL
Audit Report
Fiscal Year 2009 Evaluation of Information Security at the Railroad Retirement Board

Report No. 10-01
November 12, 2009

RAILROAD RETIREMENT BOARD

TABLE OF CONTENTS

Introduction
  Background
  Objectives
  Scope
  Methodology

Results of Evaluation
  Certification and Accreditation
  Access Control
  Risk Assessment
  Policies and Procedures
  Security Plans
  Training
  Testing and Evaluation of Agency Information Systems
  Testing and Evaluation of Contractor Information Systems
  Remedial Action Process
  Incident Handling and Reporting
  Continuity of Operations
  Inventory of Systems

Appendices
  Appendix I   Information Security Awareness Training
  Appendix II  Bureau of Information Services Management's Response

INTRODUCTION

This report presents the results of the Office of Inspector General's (OIG) evaluation of information security at the Railroad Retirement Board (RRB).

Background

The RRB administers the retirement/survivor and unemployment/sickness insurance benefit programs for railroad workers and their families under the Railroad Retirement Act (RRA) and the Railroad Unemployment Insurance Act (RUIA). These programs provide income protection during old age and in the event of disability, death, temporary unemployment or sickness. The RRB paid over $10.1 billion in benefits during fiscal year (FY) 2008.
The RRB is headquartered in Chicago, Illinois and has 53 Field Offices across the nation.

Throughout much of FY 2009, the RRB's information system environment consisted of six major application systems and two general support systems, each of which has been designated as a moderate impact system in accordance with standards and guidance promulgated by the National Institute of Standards and Technology (NIST). The major application systems correspond to the RRB's critical operational activities, including RRA benefit payments, RUIA benefit payments, maintenance of railroad employees' service and compensation records, administration of Medicare entitlement, financial management, and the RRB's financial interchange with the Social Security Administration. The two general support systems comprise the mainframe computer and the local area network/personal computer (LAN/PC) systems. In September 2009, the RRB combined four of their six major applications into one major application, benefit and payment operations.[1]

This evaluation was conducted pursuant to Title III of the E-Government Act of 2002, the Federal Information Security Management Act of 2002 (FISMA), which requires annual agency program reviews, Inspector General security evaluations, an agency report to the Office of Management and Budget (OMB), and an OMB report to Congress. FISMA also establishes minimum requirements for the management of information security in nine areas:

• Risk Assessment
• Policies and Procedures
• Security Plans
• Training
• Testing and Evaluation
• Remedial Action Process
• Incident Handling and Reporting
• Continuity of Operations
• Inventory of Systems

[1] The four major applications combined into benefit and payment operations are RRA benefit payments, RUIA benefit payments, maintenance of railroad employees' service and compensation records, and administration of Medicare entitlement.

Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction in order to provide confidentiality, integrity, and availability. An information system is a "discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information resources include information and related resources, such as personnel, equipment, funds and information technology."[2]

The OIG previously evaluated information security at the RRB from FYs 2000 through 2008, and reported weaknesses throughout the RRB's information security program.[3] The OIG also cited the agency with significant deficiencies in access controls in the mainframe and LAN environments, as well as delays in meeting FISMA requirements for both risk assessments and periodic testing and evaluation.

The Bureau of Information Services (BIS), under the direction of the Chief Information Officer, is responsible for the RRB's information security and privacy programs.
FISMA requires agencies to report any significant deficiency as a material weakness under the Federal Managers' Financial Integrity Act.[4]

Objectives

The objectives of this evaluation were to fulfill the requirements of FISMA which include:

1. evaluating the RRB's information security program, including the effectiveness of the information security policies, procedures, and practices of a representative subset of agency information systems; and

2. assessing the RRB's compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines.

Scope

The scope of this evaluation was information security at the RRB during FY 2009. This included the status of audit recommendations for corrective action which resulted from prior audits and evaluations performed from FY 2000 through FY 2009.

Methodology

To meet the first objective, the OIG audited the general and application controls over the financial management major application system using the methodology contained in the Government Accountability Office's (GAO) Federal Information System Controls Audit Manual (FISCAM).[5, 6] We also performed a system-level assessment of security controls over the Medicare major application.[7] Additionally, we considered tests of security controls over access and the segregation of duties in conjunction with OIG audits of the agency's FY 2008 financial statement preparation and the accounts payable subsystem of the financial management major application.[8]

[2] Minimum Security Requirements for Federal Information and Information Systems, NIST Federal Information Processing Standards Publication 200 (March 2006).
[3] OIG audit reports are maintained on the RRB website at http://www.rrb.gov/oig/library.asp.
[4] A significant deficiency is a weakness in an agency's overall information systems security program or management control structure, or within one or more information systems that significantly restricts the capability of the agency to carry out its mission or compromises the security of its information, information systems, personnel, or other resources, operations, or assets.

To meet the second objective, we considered the results of prior audits and evaluations of information security from FY 2000 through FY 2009, including the status of related recommendations for corrective action. We also obtained and reviewed documentation supporting the RRB's performance in meeting FISMA requirements and interviewed responsible agency management and staff.

The primary criteria for this evaluation included:

• FISMA,
• NIST standards and guidance,
• OMB Circular A-130,[9]
• OMB memoranda,
• GAO FISCAM, and
• GAO Standards for Internal Control in the Federal Government.[10]

We conducted this performance audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Fieldwork was conducted at RRB headquarters in Chicago, Illinois, from May 2009 through October 2009.

[5] Federal Information System Controls Audit Manual, GAO/AIMD-12.19.6 (January 1999), and revision GAO-09-232G (February 2009).
[6] Audit of the General and Application Controls in the Financial Management Major Application System, OIG Report No. 09-05, September 30, 2009.
[7] Audit of the Railroad Retirement Board's Medicare Major Application System, OIG Report No. 09-06, September 30, 2009.
[8] Fiscal Year 2008 Financial Statement Audit Letter to Management, OIG Report No. 09-02, March 24, 2009, and Audit of Internal Control Over Accounts Payable, OIG Report No. 09-03, March 31, 2009.
[9] Management of Federal Information Resources, OMB Circular A-130 (November 2000).
[10] Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).

RESULTS OF EVALUATION

The RRB has not yet achieved a fully effective information security program. The RRB has implemented all nine program elements required by FISMA; but the security program, as a whole, is undermined by significant deficiencies in access control and the internal control over the certification and accreditation review process. Additionally, some previously identified lesser deficiencies in the implemented FISMA elements continue to exist.

During FY 2009, the agency has taken action to correct previously reported significant deficiencies in risk assessments and periodic testing and evaluation, and completed their first NIST compliant certification and accreditation program. However, an ineffective review process for contractor deliverables has resulted in a significant deficiency in internal control over the certification and accreditation process.

During FY 2009, we also observed that although the agency has corrected the significant deficiencies in risk assessments and periodic testing and evaluation, some weaknesses in those areas continue to exist. Additionally, we observed other areas where security program improvements should be made, such as the implementation of the RRB's agency-wide configuration policy.

The details of our findings and recommendations for corrective action follow.
Agency management has agreed to take corrective actions for all recommendations. The full text of management's response is included in this report as Appendix II.

Certification and Accreditation

The RRB's certification and accreditation process is ineffective and represents a significant deficiency in the RRB's internal control structure.

OMB Circular A-130, Appendix III requires that agency management authorize systems for processing based on the formal technical evaluation of the management, operation, and technical controls. This process is also known as certification and accreditation, and it should occur at least every three years or when there has been a significant change to the system. Additionally, continuous monitoring should be performed on a regular basis. This includes the assessment of a subset of security controls, and the reporting and documentation of the results of the assessment.

GAO has defined internal control as "the plans, methods, and procedures used to meet missions, goals, and objectives and, in doing so, supports performance-based management. Internal control also serves as the first line of defense in safeguarding assets and preventing and detecting errors and fraud. In short, internal control, which is synonymous with management control, helps government program managers achieve desired results through effective stewardship of public resources."[11]

[11] Standards for Internal Control in the Federal Government, GAO/AIMD-00-21.3.1 (November 1999).

The OIG previously reported that the RRB did not have a NIST compliant certification and accreditation program.[12] The agency later contracted with technical specialists to assist in the certification and accreditation of the two general support systems and six major applications.

In our FY 2008 FISMA report, we identified a weakness in BIS's process for reviewing contractor deliverables received for the completed LAN/PC general support system and recommended that BIS review and update the certification and accreditation documentation.[13] The RRB has not been effective in correcting this weakness.

In FY 2009, the RRB's contractor completed certification and accreditation of the remaining two major applications, consolidated the documentation for four major applications into one, and conducted continuous monitoring of the agency's LAN/PC, mainframe, and the newly consolidated benefit and payment operations major application. We reviewed the certification and accreditation documentation completed during FYs 2008 and 2009, as well as the continuous monitoring documentation, and observed that these documents contained many of the same deficiencies as previously reported.

Our evaluation of the certification and accreditation and continuous monitoring documentation disclosed that the RRB's review process for contractor deliverables is ineffective in:

• identifying incomplete and inaccurate information in the description of system environment and interconnections;
• ensuring that all of the baseline controls have been considered during testing;
• ensuring that all identified weaknesses have been incorporated in the Plan of Action and Milestones (POAM) for remedial action; and
• identifying when a designated system owner employee is no longer employed at the RRB.

We found that the RRB's policy for the certification and accreditation of agency systems does not include consideration of contractor support and the necessary controls that must be in place to ensure adequate contractor deliverables. The RRB's certification and accreditation process does not provide senior agency officials with complete, accurate, and trustworthy information on the security status of the general support systems. Therefore, the senior agency officials have not been provided an adequate factual basis for rendering their security accreditation decisions.

[12] OIG Report No. 04-11, September 30, 2004, Recommendation 9.
[13] OIG Report No. 08-05, September 30, 2008, Recommendations 2 and 7. At the time of our review, only the LAN/PC general support system had been certified and accredited.

Recommendation

We recommend that the Bureau of Information Services:

1. implement controls to ensure an effective certification and accreditation review process that includes complete, accurate, and trustworthy documentation, whether prepared by agency employees or contractor personnel.

Management's Response

The Bureau of Information Services has agreed with this recommendation and has advised that they initiated a rigorous review of the FY 2009 mainframe and LAN/PC documentation to resolve any inaccurate or missing information.

Access Control

The design and implementation of access controls in the RRB's general support and application systems is not adequate to meet minimum standards of least privilege.

OMB Circular A-130, Appendix III, defines least privilege as the practice of restricting a user's access or type of access to the minimum necessary to perform his or her job.

In our FY 2001 evaluation of information security, we cited the agency with a significant deficiency in access control and made several recommendations. Since that time, additional recommendations have been made.[14] Although the agency has implemented corrective action for many of the recommendations made since FY 2001, our ongoing evaluations show that the agency continues to have difficulty in this area.

Our FY 2009 assessments of information security in the financial management and Medicare major applications disclosed weaknesses in access control including:

• user privileges that were not commensurate with job functions;
• inadequate segregation of duties over transaction level entries and approvals;
• user account expirations; and
• password configuration settings.

Excessive rights and privileges weaken the overall information security program.

[14] OIG Report No. 02-04, February 5, 2002, Recommendations 13, 20, and 21.
     OIG Report No. 04-08, September 7, 2004, Recommendation 1.
     DSD LAN Report, June 7, 2005, Recommendation 7.
     DSD WEB Report, June 7, 2005, Recommendation 16.
     OIG Report No. 05-08, July 18, 2005, Recommendation 10.
     OIG Report No. 07-08, September 27, 2007, Recommendation 1.
     OIG Report No. 09-02, March 24, 2009, Recommendations 6, 7, and 8.
     OIG Report No. 09-03, March 31, 2009, Recommendations 1 and 2.
     OIG Report No. 09-05, September 30, 2009, Recommendations 1, 2, 3, 4, 6, 7, 8, 11, 12, 13, 14, 15, 19, and 20.
     OIG Report No. 09-06, September 30, 2009, Recommendations 3, 4, 5, and 6.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Risk Assessment

The RRB's contractor has prepared risk assessments as required by FISMA; however, more work is needed to ensure all risk assessments are completed in accordance with NIST guidance.

FISMA requires Federal agencies to periodically assess the risk and magnitude of harm that could result from unauthorized access, use, disclosure, disruption, modification, or destruction of information or information systems. NIST SP 800-30, Risk Management Guide for Information Technology Systems, presents a risk assessment methodology agencies can use when performing their periodic assessments. Organizations use risk assessments to determine the potential threats to information and information systems and to ensure that the greatest risks have been identified and addressed.

In FY 2005, we cited the RRB with a significant deficiency because the agency had made little progress in implementing a formal risk assessment process in accordance with NIST guidance. We previously recommended that the agency complete formal, NIST compliant, risk assessments of the major application and general support systems.[15] In FY 2008, we reviewed the risk assessment prepared for the LAN/PC general support system and found that although the contractor had completed the risk assessment in accordance with NIST guidance, some weaknesses in the final product existed. We recommended that the LAN/PC general support system's risk assessment be reviewed and updated to accurately reflect the current RRB system environment and control analysis.[16]

Our review of the risk assessments prepared by the RRB's contractor in FY 2008 and 2009 disclosed weaknesses similar to those previously identified in the contractor prepared risk assessment for the LAN/PC general support system. Weaknesses include incomplete and inaccurate information in the description of the system environment, as well as missing or not fully documented baseline controls. We attribute these weaknesses to an ineffective review process for contractor deliverables performed by agency personnel. As a result, the effectiveness of the certification and accreditation process as a whole is undermined.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

[15] OIG Report No. 05-08, July 18, 2005, Recommendation 4.
[16] OIG Report No. 08-05, September 30, 2008, Recommendation 2.

Policies and Procedures

The RRB has developed information security policies and procedures as required by FISMA, but continues to need improvement in implementing risk-based policies and procedures that are comprehensive and effective in all areas of the agency's information security and privacy programs.

FISMA requires that agencies include risk-based policies and procedures that reduce risks to an acceptable level and ensure that information security (which includes the confidentiality, integrity, and availability of information) is addressed throughout the life cycle of each information system. The policies and procedures should also ensure compliance with minimally acceptable system configuration requirements.

In prior reviews, we identified many areas in which the development of policies and procedures would strengthen the RRB's information security and privacy programs, and made recommendations for overall improvement.
Many of these recommendations are pending corrective action.[17]

During FY 2009, the RRB completed the development of an agency-wide configuration policy for Windows 2003 servers. Our review of the implementation of the agency-wide configuration policy showed that the agency has not yet fully implemented the policy for all Windows 2003 servers, and their attempts at implementation have not been efficiently managed or successful.

We were advised that the agency-wide policy settings have been made locally on newly deployed Windows 2003 servers in calendar year 2008, and that BIS did not keep records of which servers had been configured with the policy. As of May 2009, the agency had an inventory of 39 Windows 2003 servers deployed prior to 2008, and 7 Windows 2003 servers deployed in 2008. We reviewed the configuration settings for a Windows 2003 server deployed in 2008, and found that 42% of the settings do not match the agency-wide policy. We also observed that no Organizational Unit Group Policy Object had been created to implement the policy agency-wide.

We were advised that the RRB does not intend to develop an agency-wide configuration policy for Windows 2000 servers because they intend to gradually remove these servers from the production environment.[18] However, the RRB has not developed a formal plan to remove the Windows 2000 servers from the production environment. Such a plan should include timeframes and resources required to complete this phase-out action.

[17] OIG Report No. 07-02, March 9, 2007, Recommendations 2, 3, and 4.
     OIG Memorandum No. 07-02m, March 9, 2007, Recommendation 1.
     OIG Report No. 07-04, March 28, 2007, Recommendations 1 and 2.
     OIG Report No. 07-06, July 30, 2007, Recommendations 5, 6, 7, 13, 14, and 16.
     OIG Report No. 07-07, July 30, 2007, Recommendations 2 and 4.
     OIG Report No. 07-09, September 27, 2007, Recommendations 1, 2, 3, 4, 6, 7, 8, 9, 10, 11, 13, 14, 15, 17, and 18.
     OIG Report No. 09-03, March 31, 2009, Recommendations 7, 12, and 13.
     OIG Report No. 09-05, September 30, 2009, Recommendations 9, 10, 16, 17, and 18.
     OIG Report No. 09-06, September 30, 2009, Recommendations 7, 8, and 9.
[18] As of May 2009, the agency had an inventory of 73 Windows 2000 servers.

During FY 2009, the RRB implemented the Federal Desktop Core Configuration (FDCC) settings for workstations with Windows XP operating systems. In this process, they documented the deviations necessary to allow the FDCC settings to work properly in the RRB LAN/PC general support system. However, our review of the documented deviations showed that some of the reasons for deviation were outdated, inaccurate, or incomplete. We also observed other, unidentified, deviations between the FDCC policy established by NIST and the FDCC settings implemented by BIS. As a result, the RRB cannot ensure that their implemented FDCC settings are in full compliance with NIST requirements.

Recommendations

We recommend that the Bureau of Information Services:

2. develop and implement a plan to efficiently apply the Windows 2003 agency-wide configuration policy to all Windows 2003 servers.

3. develop a formal plan to remove the Windows 2000 servers from the production environment.

4. review the implemented FDCC settings against the NIST requirements, and document the reason for any deviations.

Management's Response

The Bureau of Information Services has agreed to take equivalent corrective action for recommendation two, and has agreed with recommendations three and four.
They will:

• evaluate each Windows 2003 server with respect to the server configuration policy, and make the necessary changes or document those items that are deemed too risky to perform;
• develop a project plan for decommissioning the Windows 2000 servers; and
• provide adequate documentation to explain the reasons for any deviations with FDCC requirements.

Security Plans

The RRB's contractor has prepared system security plans as required by FISMA; however, more work is needed to ensure all plans are completed in accordance with NIST guidance.

FISMA requires that agencies maintain subordinate plans for providing adequate information security for networks, facilities, and systems or groups of information systems. System security plans document this type of information.

In FY 2008, we reviewed the LAN/PC system security plan completed by the RRB's contractor in August 2008, and found that the plan was not completed in accordance with NIST guidance. We noted that the system security plan contained inaccurate or missing information, and recommended that the plan be reviewed and updated to address the inaccurate or missing information.[19]

In FY 2009, we reviewed the RRB's remaining system security plans and the updated LAN/PC system security plan. Our review of the system security plans disclosed weaknesses similar to those previously identified in FY 2008. As previously discussed in the certification and accreditation section of this report, no changes had been made to the LAN/PC or mainframe system security plans to address the inaccurate or missing information prepared by the RRB's contractor.

We attribute these weaknesses to an ineffective review process for contractor deliverables performed by agency personnel. As a result, the effectiveness of the certification and accreditation process as a whole is undermined.

Recommendation

We recommend that the Bureau of Information Services:

5. review and update the mainframe system security plan to address the inaccurate or missing information.

Management's Response

The Bureau of Information Services has agreed with this recommendation and has advised that they initiated a rigorous review of the FY 2009 mainframe and LAN/PC documentation to resolve any inaccurate or missing information.

Training

The RRB has met the FISMA requirement for information security awareness training for employees and contractors, although some previously identified weaknesses in the RRB's training programs for information security or privacy are pending corrective action.[20]

FISMA requires agencies to provide security awareness training to employees, contractors, and other users of information systems. In addition to security awareness training, agencies are required to provide specialized training to personnel with significant security responsibilities.

[19] OIG Report No. 08-05, September 30, 2008, Recommendation 7.
[20] OIG Report No. 06-09, August 24, 2006, Recommendation 1.
     OIG Report No. 07-06, July 30, 2007, Recommendations 3 and 8.
     OIG Report No. 07-09, September 27, 2007, Recommendation 12.
     OIG Report No. 08-05, September 30, 2008, Recommendation 5.

Our review of the RRB's security awareness training results for FY 2009 showed that the agency was generally compliant with the FISMA provision to provide training to all agency employees and contractors.
We found that all employees and contractors took the required general information security awareness training, and that employees with significant security responsibilities took some form of the specialized training assigned by the senior agency information security officer. However, we found that two employees with significant security responsibilities did not take the full extent of specialized training because their immediate supervisor overrode the instructions given by the senior agency information security officer.[21]

Although some form of specialized training took place, which meets the requirements of FISMA, agency management should be aware of the risk associated with management overrides of the internal control environment. Such practices may result in the agency's inability to meet FISMA requirements in the future. As FISMA requirements were met this year, we offer no additional recommendations for corrective action.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Testing and Evaluation of Agency Information Systems

The RRB has implemented a program for periodic testing and evaluation of agency information systems as required by FISMA; however, more work is needed for a fully compliant testing and evaluation process.

FISMA requires periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices performed with a frequency depending on risk, but no less than annually. The periodic testing and evaluation must include testing of management, operational and technical controls for every system identified in the agency's inventory of systems, including contractor operations. NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, provides procedures for assessing the effectiveness of security controls employed in Federal information systems and directly supports the certification and accreditation process. NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, requires the information system owner to select an appropriate subset of controls for periodic assessment, also referred to as the continuous monitoring phase of certification and accreditation. The controls selected should be approved by the authorizing official and the senior agency information security officer.

The OIG previously reported that RRB tests did not meet FISMA requirements because they did not include all major application systems and were not comprehensive with respect to all three categories of controls: management, operational, and technical.[22]

[21] See Appendix I for details of our testing methodology.
[22] OIG Report No. 02-04, February 5, 2002, Recommendation 3.
     OIG Report No. 03-02, December 27, 2002, Recommendations 1, 2, 3, and 4.

In FY 2005, we cited the RRB with a significant deficiency in its testing and evaluation program because the agency had made little progress in implementing a compliant periodic testing and evaluation process. In FY 2007, we reported that agency efforts to perform NIST compliant tests of certain common controls were not fully effective because testing did not extend to RRB offices outside of headquarters.[23]

Our review of the certification and accreditation documentation prepared by the agency's contractor in FY 2008 and 2009 disclosed that the risk assessments and POAM had not always been updated to reflect the security test and evaluation results, as required by NIST. We were advised that the specific controls selected for testing during the FY 2009 continuous monitoring were agreed to by the system owners and the contractor prior to testing, but observed the Security Test and Evaluation Plan did not specifically identify which individual controls would be tested, and conflicting information exists in the documentation supporting the test scope and results. Additionally, the contractor reported obtaining current test information through an interview with an employee who had left the RRB's employment prior to the contract award.

We attribute these weaknesses to an ineffective agency review process for contractor prepared test and evaluation documentation. Inadequate testing and evaluation of agency information systems weakens the security program as a whole.

Recommendation

Agency action to implement prior OIG recommendations for corrective action is pending; the OIG has no additional recommendations to offer at this time.

Management's Response

RRB management has agreed with our finding, but has offered comments on this area of review. See Appendix II for the full text of management's comments.

Testing and Evaluation of Contractor Information Systems

The RRB has implemented a policy to perform and document information security site assessments, but they have not developed a comprehensive plan to accomplish testing and evaluation of the contractor information systems that contain RRB data.

FISMA requires agencies to provide "information security protections … of (i) information collected or maintained by or on behalf of an agency; and (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency …."
Additionally, each agency shall "develop,\ndocument, and implement an agencywide information security program \xe2\x80\xa6 to provide\ninformation security for the information and information systems that support the\noperations and assets of the agency, including those provided or managed by another\nagency, contractor, or other source \xe2\x80\xa6."\n23\n     OIG Report No. 07-08, September 27, 2007, Recommendation 2.\n\n                                                 12\n\x0cIn FY 2008, we reported that the RRB did not have a comprehensive plan for testing\nand evaluation of contractor operations and recommended that BIS develop such a\nplan. 24 BIS responded that they would seek legal counsel to verify which agency\ncontracts should be considered for certification and accreditation as information\nsystems in compliance with FISMA requirements.\n\nWe reviewed the legal opinion prepared by the RRB\'s General Counsel, and observed\nthat BIS was advised to have the senior agency information security officer review the\ncontracts, obtain input from staff and other key participants, and make the necessary\nclassifications regarding contractor information systems. 25\n\nWhen a contractor system is considered an independent information system, a\ncertification and accreditation schedule should be established. If the system is\nconsidered a subsystem functioning as part of an overall general support system or\nmajor application, no independent certification and accreditation is necessary.\nHowever, per NIST requirements, all subsystems classified under an overall general\nsupport system or major application must fall under the same management authority.\nManagement control includes budgetary or operational authority for day-to-day\noperations and maintenance of the information systems. 26\n\nThe RRB has contracted with non-Federal service providers, and other Federal\nagencies. 
We have observed that many of the RRB\'s contractor systems do not fall\nunder RRB management authority for day-to-day operations. For example, the RRB\nhas contracted for web services with a telecommunications contractor and\nadministrative actions such as disabling user accounts must be requested through the\ncontractor\xe2\x80\x99s work management system. The RRB does not maintain full administrative\ncontrol over these web services and the contract specifically states that the RRB\nrequest maintenance activities through the contractor\xe2\x80\x99s work management system.\n\nIn September 2009, we were advised by the senior agency information security officer\nthat no work had been completed in response to the legal opinion, and that he did not\nintend to report any contractor systems in his FY 2009 FISMA report. Inadequate\ntesting and evaluation of contractor information systems weakens the security program\nas a whole.\n\nRecommendation\n\nWe recommend that the senior agency information security officer:\n\n     6. perform the reviews as instructed by the RRB\'s General Counsel to determine\n        which RRB contractors are independent information systems.\n\n\n24\n   OIG Report No. 
08-05, September 30, 2008, Recommendation 3.\n25\n   Classification of Contractor Systems Interacting with RRB\'s Information Systems, Legal Opinion\nL-2009-11, June 15, 2009, page 5.\n26\n   Guide for the Security Certification and Accreditation of Federal Information Systems, NIST SP 800-37,\nChapter 2.3, May 2004.\n\n                                                   13\n\x0cManagement\'s Response\n\nThe Bureau of Information Services has agreed with this recommendation and the\nsenior agency information security officer will review all contractors to determine if they\nare independent information systems.\n\n\nRemedial Action Process\n\nThe RRB\xe2\x80\x99s remedial action process continues to be ineffective in identifying and\nprioritizing all weaknesses in the agency\xe2\x80\x99s information security and privacy programs.\n\nFISMA requires Federal agencies to maintain a process for planning, implementing,\nevaluating, and documenting remedial action to address any deficiencies in the\ninformation security policies, procedures, and practices of the agency. OMB requires\nagencies to develop a formal POAM to identify vulnerabilities in information security and\nprivacy, and to track the progress of corrective action. Each year, OMB requires the\nOIG to assess the agency\xe2\x80\x99s POAM as part of the FISMA reporting process.\n\nThe OIG first criticized the RRB\xe2\x80\x99s POAM in FY 2003 as ineffective in articulating\nweaknesses and planning corrective actions. In FY 2005, we again reported that the\nexisting POAM was not comprehensive with respect to identifying weaknesses, and that\nit provided inadequate prioritization of agency plans and efforts to correct the\nweaknesses found. In FY 2007, we reported that the agency was not preparing action\nplans for their privacy-related weaknesses and those weaknesses were not being\nincorporated into the existing POAM. We made recommendations to address these\nissues. 
27\n\nDuring FY 2009, we reviewed the agency POAMs created and/or updated by the\ncontractor during certification and accreditation or continuous monitoring activities and\nobserved that all of the POAMs did not reflect the full results of the security tests and\nevaluations. As separate POAMs for each general support system and major\napplication have been prepared by the contractor, the agency took steps to consolidate\nthe contractor POAMs into one agency-wide POAM for those systems. 28 However, our\nreview of the agency-wide POAM showed that the weaknesses have not been\nprioritized to ensure they would be addressed in a timely manner, milestone tasks and\ndates have not been developed, and the resources needed for remediation have not\nbeen identified. We also observed that system owners were not provided the user\nprivileges to access and update the consolidated agency-wide POAM.\n\n\n\n\n27\n   OIG Report No. 05-11, September 28, 2005, Recommendation 3.\n   OIG Report No. 07-06, July 30, 2007, Recommendation 15.\n28\n   The agency maintains open audit recommendations from OIG reviews separately from the contractor\nprepared POAMs. During FY 2009, the agency worked to address many of the most significant open\naudit recommendations as identified by the OIG, but much work remains to be completed overall. 
For\nexample, at the time our fieldwork for this FISMA review began in May 2009, the agency had over 100\nopen audit recommendations dealing with information security and privacy.\n\n                                                 14\n\x0cAs a result, agency efforts to date have been insufficient in managing POAM\ndeficiencies, and it is not being used as the management tool OMB intended for\nidentifying vulnerabilities and monitoring agency corrective actions.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\nManagement\'s Response\n\nRRB management has agreed with our finding, but has offered comments on this area\nof review. See Appendix II for the full text of management\'s comments.\n\n\nIncident Handling and Reporting\n\nThe RRB\xe2\x80\x99s incident handling and reporting program is generally effective in ensuring the\nconfidentiality, integrity, and availability of the agency\xe2\x80\x99s information and information\ntechnology, although some previously identified weaknesses are pending corrective\naction.\n\nFISMA mandates that Federal agencies develop, document, and implement procedures\nfor detecting, reporting, and responding to security incidents as part of its agency-wide\ninformation security program. Federal Incident Reporting Guidelines specify categories\nof incidents and timeframes in which Federal agencies are to report incidents to\nUS-CERT. US-CERT uses these reports to analyze the information provided by all\nagencies to identify trends and precursors of attacks. 
BIS also reports security\nincidents to agency managers each month in the BIS Monthly Administrative Report to\nkeep them apprised of agency actions.\n\nIn FY 2006, the OIG performed a detailed review of the RRB\xe2\x80\x99s incident handling and\nreporting program and found that the agency\xe2\x80\x99s overall efforts were sufficient to meet the\nrequirements established by FISMA. We did, however, recommend some areas where\nprogram management could be improved, including controls to ensure the accuracy and\ncompleteness of internal and external security incident reports. 29\n\nOur review of the RRB\xe2\x80\x99s incident handling and reporting performed during FY 2009 did\nnot disclose any additional weaknesses.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\n\n\n29\n     OIG Report No. 06-09, August 24, 2006, Recommendations 1, 2, 3, 4, 7, 8, 9, and 10.\n\n                                                    15\n\x0cManagement\'s Response\n\nRRB management has offered comments on this area of review. However, they quoted\na statement that did not appear in the draft report released for comment. The matter\ncited was resolved during the briefing process. See Appendix II for the full text of\nmanagement\'s comments.\n\n\nContinuity of Operations\n\nThe RRB has developed a continuity of operations plan that meets the requirements of\nFISMA, although some previously identified weaknesses are pending corrective\naction. 30\n\nFISMA requires Federal agencies to implement plans and procedures to ensure\ncontinuity of operations for information systems that support the operations and assets\nof the agency.\n\nThe RRB provides for semi-annual off-site recovery testing of the two general support\nsystems, and the mainframe databases of its major application systems. 
Generally, the\nRRB also tests some of the major application batch processes, and LAN connectivity.\nAs a result, the agency\xe2\x80\x99s disaster recovery plan provides assurance that most of the\nagency\xe2\x80\x99s major information technology functions would be operational in the event of a\ndisaster.\n\nOur review performed in FY 2009 did not disclose any additional weaknesses.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\nInventory of Systems\n\nThe RRB has generally complied with FISMA requirements to identify major application\nsystems, but some improvement is still needed with respect to component application\nsystems.\n\nFISMA requires that each agency develop, maintain, and annually update their\ninventory of major information systems. This inventory is to include an identification of\nthe interfaces between each system and all other systems or networks, including those\nnot operated by, or under the control of, the agency.\n\nOur review showed that while the agency has made progress in updating their inventory\nof component applications and server locations, work remains to be completed to\nidentify the component system\xe2\x80\x99s responsible official when security administration is\n30\n     OIG Report No. 07-08, September 27, 2007, Recommendations 5 and 6.\n\n                                                 16\n\x0cdecentralized. 31 Additionally, we previously recommended that the RRB perform a\nphysical inventory of information technology hardware and to update the agency\xe2\x80\x99s\nofficial fixed asset inventory system and implement controls to ensure adequate\nprotection of the RRB network. 
32 Those recommendations are currently pending\ncorrective action.\n\nOur review performed in FY 2009 did not disclose any additional weaknesses.\n\nRecommendation\n\nAgency action to implement prior OIG recommendations for corrective action is\npending; the OIG has no additional recommendations to offer at this time.\n\n\n\n\n31\n     OIG Report No. 05-08, July 18, 2005, Recommendation 3.\n32\n     OIG Report No. 07-08, September 27, 2007, Recommendation 7.\n     OIG Report No. 08-05, September 30, 2008, Recommendation 8.\n\n                                                 17\n\x0c                                                                               Appendix I\n\n                         Sampling Methodology and Results\n                      Information Security Awareness Training\n\nThis appendix presents the methodology and results of our judgmental sampling test of\ninformation security awareness training records.\n\nSample Objective\n\nOur objective was to determine whether employees whom the agency reported to have\ntaken information security awareness training received general awareness training, and\nemployees with significant security responsibilities received specialized training.\nAdditionally, we determined whether RRB managers maintained adequate records of\nthe training taken by their employees.\n\nSample Universe\n\nWe selected our sample from the population of 945 RRB employees reported by the\nagency as having taken security awareness training in FY 2009.\n\nSample Review Methodology\n\nWe used judgmental sampling to select a sample size of 40 employees, 18 of which\nrequired the general awareness training and some form of specialized training, and 22\nof which required only the general awareness training. Employees were selected from\na wide variety of agency departments, including those located at headquarters and in\nthe field offices. 
In our judgment, this sample size was sufficient to determine whether\nthe training provided was appropriate to job function, and fully documented.\n\nFor each RRB employee in our sample, we obtained and reviewed the\nemployee-completed training certification indicating the extent of training taken.\nInterviews were held as necessary.\n\nAn error was defined as:\n    \xe2\x80\xa2 an employee who did not read the basic section of the information security\n       awareness pamphlet;\n    \xe2\x80\xa2 an employee with significant security responsibilities who did not read the\n       additional sections of the information security awareness pamphlet; or\n    \xe2\x80\xa2 a manager who could not produce the required documentation to support the\n       training taken by their respective employees.\n\nResults of Review\n\nWe found that all 40 employees took the required basic security awareness training, as\nreported by the agency. We also found that the 18 employees with significant security\nresponsibilities took some form of specialized training, although 2 did not take the full\nscope of specialized training at the direction of their immediate supervisor. We also\n\n                                            18\n\x0cfound that agency managers maintained adequate documentation to support the\ntraining taken by their employees.\n\nConclusion\n\nThe RRB\'s training records are accurate to support the overall conclusion that the RRB\nhas provided information security awareness training. 
As some form of specialized\ntraining took place for employees with significant security responsibilities, which meets\nthe requirements of FISMA, we offer no recommendations for corrective action for the\ntwo employees who did not take the full scope of specialized training.\n\n\n\n\n                                           19\n\x0c                                                                                   Appendix II\n                                                                                               FORM G..11S. (1-12)\n                 (JNITED STAT":S G()VERNMENT\n                                                                           RAILROAD RETII(EMIt;N\'I\' B()ARIJ\n                 MEMORANDUM\n\n\n\n                                                                          November 10, 2009\n\n\nTO\t              Letty B. Jay,\n                 Assistant Inspector General for Audit\n\nFROM\t            Terri S. Morgan,          ._        J      A fin/I\n                 Chief Information Officer {Yj)1J;G        LJ\xc2\xb7 V/10f!}{lt\'V-\'\nSUBJECT:\t Draft Report - Fiscal Year 2009 Evaluation of Information Security\n          At the Railroad Retirement Board\n\n\nThe RRB appreciates the opportunity to comment on the Office of Inspector General\'s (OIG) draft\nreport entitled, "Fiscal Year 2009 Evaluation of Information Security At the Railroad Retirement\nBoard." In this draft report, while the OIG acknowledges that the "RRB has implemented aU nine\nelemen~s reqUired by FISMA" for the management of information securityt they still assert at the\n&eRRB has not yet achieved a fully effective information security program" because of "significant\ndeficiencies in access control ana the internal control over the certification and accreditation\nprocess." 
The OIG states, "The RRB\'s contractor has prepar~d system security plans as\nrequired by FISMA; however, more work is needed to ensure all plans are completed in\naccordance with NtST guidance."\n\nRecommendation #1\nWe recommend that the Bureau of Information Services implement controls to ensure an effective\ncertification and accreditation process that includes complete, accurate and trustworthy\ndocumentatio.n, whether prepared by agency employees or contractor personnel.\n\nRecommendation #5\nWe recommend that the Bureau of Information Services review and update the mainframe\nsystem security plan to address the inaccurate or missing information.\n\nResponse\nBIS concurs with the recommendation regarding documentation but disagrees with the\nstatements regarding the effectiveness 01 the process.\n\nThe RRB believes that we have fully documented that agency systems are robust and exhibit\nsecurity commensurate with the risk and magnitude of the harm resulting from the loss, misuse,\nor unautHorized access to or modification of information. This includes assuring that systems ~nd\xc2\xad\napplications used by the agency operate effectively and provide appropriate confidentialfty,\nintegrity, and availability, using cost-effective management, personnel, operational, and technical\ncontrols. The NIST prescribed certification and accreditation process was con~ucted at the RRB\nand in 2009, the Post-Accreditation phase was initiated. As part of the NIST Risk Management\nFramework process we will review and update all System Security Plan d10cuments every year.\n                    l\n\nThe LAN and Mainframe general support systems will undergo another certification and            .\naccreditation and security control monitoring will be performed on all major applications in\nFY2010. 
The certification documentation for all systems will become more complete with each\niteration of this process.\n\nThe RRB does not dispute that we should have performed more careful documentation reviews.\nNevertheless, we maintain that the certification and accreditation process produced\n\n                                                20\n\x0c                                                                                   Appendix II\n\n\n\n documentation that fairly and adequately described the risk to agency operations and assets and\n allowed all Designated Accrediting Authorities to make an informed assessment with respect as\n to whether security controls met security reqUirements. Nonetheless, the Bureau of Information\n Services has initiated a rigorous review of the 2009 Mainframe and LAN documentation to\n resolve any inaccurate or missing information. We will completed this review and provide\n updated documents before November 25, 2009.\n\n\n Background for Recommendation #2\n In the evaluation paper the OIG notes, "We reviewed the configuration settings for a Windows\n 2003 server deployed in 2008, and found that 42% of the settings do not match the agency-wide\n policy." 
Thus, the OIG reconimends that "the Bureau of Information Services develop and\n implement a plan to efficiently apply the Windows 2003 agency-wide configuration policy to all\n Windows 2003 servers" and also "develop a formal plan to remove the Windows 2000 servers\n from the prodlrlction environment."\n\n Recommendation #2\n We recommend that the Bureau of Information Services develop and implement a plan to\n efficiently apply the Windows 2003 agency-wide configuration policy to all Windows 2003 servers.\n\n Response\n BIS disagrees with the recommendation but agrees that certain actions must be taken to evaluate\n the risks of applying the configuration policy to servers already in production.\n\n When the RRBproduced a final Server Configuration Policy in 2009, it was stated that the policy\n would be implemented on all new servers provisioned from that date forward. Changing\n configuration settings on servers that are already used in production may have negative\n ramifications on the server. Making configuration setting changes to such\xc2\xb7 servers may adversely\n affect performance or even disable the applications on the device.\n\n  Each 2003 server will need to be handled discretely to ascertain the impact of making\n, configuration changes. The RRB\'s plan is to list all 2003 servers, evaluating each server with\n  respect to the 2003 Server configuration pplicy. We will\xc2\xb7meet with application business owners\n  and discuss the risks to server configuration changes. If it is acceptable, BIS will make changes\n  that are agreed upon and document those items that are deemed too risky to perform. This\n  methodology will be repeated with each Win 2003 server. 
This project will commence in J,anuary\n  2010 and is anticipated to be completed in December 2010.\n\nRecommendation #3\n\nWe recommend that the Bureau of Information Services develop a formal plan to remove the\n\nWindows 2000 servers form the production envirQnment.\n\n\nResponse\n\nBIS agrees with this recommendation.\n\n\nWindows 2000 servers are ,not significant security risks as long as they are properly maintained\n\na,nd supported~ Nevertheless, we do intend to replace Windows 2000 machines as funding and\n\nother resources become avaUable.\n\n\nThe plan will commence with a Project Plan Charter for decommissioning Win 2000 servers that\nwill be developed by March 2010. BIS will initiate a kickoff meeting with ADG, Programs, etc. to\ndefine the scope of project and create a work-breakdown structure. As funds are allocated, the\nsoftware and hardware needed will be procured and a schedule will be created that identifies\nimpacted appHcations and their order of migration. Engin~ring will create a Windows 2003 or\n2008 infrastructure with development, test, and production platforms and install the hardware and\nsoftware. Applications will be tested and migrated into the new production environment.\n\n                                                 21\n\x0c;   I:.   \'\n                                                                                                  Appendix II\n\n\n\n               Background for Recommendation #4\n\n               The OIG agrees that "during FY2009, the RRB implemented the Federal Desktop Core\n\n               Configuration (FOCG) settings for workstations with Windows XP operating systems. In this\n\n               process, they documented the deviations necessary to allow the FDCC settings to work properly\n\n               in the RRB LAN/PC general support system. However, our review of the documented deviations\n\n               showed that some of the re8sQns for deviation were outdated, inaccurate, or incomplete. 
We\n\n               also\' observed other, unidentified, deviations between FDCC policy established by NIST and the\n\n               FDCC settings implemented by BIS. As a result, the RRB cannot ensure that their implemented\n\n               FOCC settings are in full compliance with NIST requirements."\n\n\n               Recommendation #4\n\n               We recommend that the Bureau of Information Services review the implemented FOCC settings\n\n               against the NIST requirements, and document the reason for any deviations.\n\n\n               Response.\n\n               BIS agrees with this recommendation; however the RRB maintains that the agency is in fV"\n\n               compliance with FDCC requirements. We will improve and provide adequate documentation to\n\n               explain reasons for any deviations by December 31, 2009.\n\n\n               Background for Recommendation #6                                                ,\n\n               The OIG attests that "The RRB has implemented a policy to perform and document information\n\n               security site assessments, but they have not developed a comprehensive plan to accomplish\n\n               testing and evaluation of all the RRB\'s contractor information systems....For example, the RRB\n\n               has contracted for web services with a telecommunications contractor, and administrative actions\n\n               such as disabling user accounts mtlst be requested through the contractor\'s work management\n\n               system. 
The RRB does not maintain full administrative control over these web services, and the\n\n               contract specifically states that the RRB request maintenance activities through the contractor\'s\n\n               work management system."\n\n\n               Recommendation #6\n\n               We recommend that the senior agency information security officer perform the reviews as\n\n               instructed by the RRB;s General Counsel to determine which RRB contractors are independent\n\n               information systems.\n\n\n               Response\n\n               SIS agrees with this recommendation. The seni()r agency information security officer will review\n\n               all contractors to determine if they are independent information systems. The contractor reviews\n\n               will be completed by October 2010.\n\n\n                  PiS response to comments in the ,audit report that did not result in recommendations:\n                  Testing and Evaluatlo\'n Process                                 (\n               .\' The OIG states, "The RRB has implemented a program for periodic testing and evaluation of\n                  agency information systems as required by FISMA; however, more work is needed for a fUlly\n                  compliant testing and evaluation process... We attribute these weaknesses to an ineffective\n                  agency review process for contractor prepared test and evaluation documentation." The RR~\n              . 
concurs that it has an effective program for periodic testing and evaluation of agency information\n                  systems as required by FISMA and that any prOblems are documentation issues and are not\n                  security related.\n\n               P~an of Action and Milestones (POAM)\n               The OIG states, "The RR\'B\'s remedial action process continues to be ineffective in identifying and\n               prioritiZing all weaknesses in the agency\'s information security, and privacy programs." They\n               state, "Our review of the agency-wide POAM showed that the Y1eaknesses have not been\n               prioritized to ehsure they would be addressed in ,a timely manner, milestone tasks and dates have\n               not been developed, and the resources needed for remediation tlave natbaen identified," The\n               RRB concurs with this preliminary analysis of the POAM that was under development in the\n\n                                                                22\n\x0c                                                                                  Appendix II\n\n\n\n\nSharePoint environment. The 01<3 staff saw a previous developmental version of the POAM that\nhas already been revised and reformatted. 
The agency-wide\' POAM continues to be a work in\nprogress on SharePoint.\n\nInCldefttH\'anet:ling,:and Response\nThe OI(SstcatEtS,."The RRS":s incident handling and reporting program is generally effective in\nensuring the confidentiality., integrity, and availability of the agency\'s information and in\nir\')formatiQn tectlnology, but some improvem~nt in reporting is needed....Our review of the RRB\'s\nincident:handling and rep~rting performed during FY 2009 showed that the RRB did not\nconsistently report aU security in~idents each month in the SIS Monthly Administrative Report,\nincluding three\' month$.in,which no security incidents had been reported."\n\nFISMA,O:MB Circl.llar A~{130 (Appendix III), NIST SP 800-53, NIST SP 800-61, and the Federal\nIncident Reporting\'Gu\'idelines define the requirements and guidance for federal agency incident\nhandling and response programs. FISI\\JIA and NISTguidance require that federal agencies report\nsecurity incidents to US-CERT within specified time\'frames. FISMA and NIST guidance also\nrequire federal agencies to determine which incidents must be reported internallY,when they\nmustbe report~d and to whom.\n\nThe RRB-C\'ERT submitted all monthly US-CERT Administrative Reports to US-CERT in FY 2009.\nIn accordance with RRB incide"t handling and response procedures, the RRB-CERT also\nsubmitted aU monthly RRB-CERT\' Administrative Reports to the Chief Security Officer and to the\nChief Information Officer. BIS is not required to inclu.de the RRB-CERT Administrative Report\nWithin the BIS Monthly Administrative Report. As the RRB-CERT properly submitted all monthly\nreports to the appropriate e~ernal organizations and internal agency officials, the RRB finds this\ncriticism to be erroneous.\n\n\n\n\nCc:\nPatricia Henaghan\nRobert Laberry\nRobert Piech\n\n\n\n\n                                                   23\n\x0c'